authorAdriaan de Jong <dejong@fox-it.com>2011-06-30 15:03:33 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-22 11:32:40 +0200
commit3cb348e46e5e356eb7e1fe44d1e35f1152865e28 (patch)
tree9f1f09ba6204190aa8d8a49d311be4b83f7a1b09
parent83c49a3ef135141101b71037f315099d32219bbf (diff)
Minor cleanup in verify_cert:
- Removed envname variable
- Removed debug code
- Changed ERR_clear_error to tls_clear_error
- Changed verify_get_subject to match verify_get_serial more closely

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r--ssl.c19
-rw-r--r--ssl_verify_backend.h16
-rw-r--r--ssl_verify_openssl.c24
3 files changed, 30 insertions, 29 deletions
diff --git a/ssl.c b/ssl.c
index 310e3cd..2858a24 100644
--- a/ssl.c
+++ b/ssl.c
@@ -315,7 +315,6 @@ int
verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
{
char *subject = NULL;
- char envname[64];
char common_name[TLS_USERNAME_LEN] = {0};
const struct tls_options *opt;
@@ -325,7 +324,8 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
session->verified = false;
/* get the X509 name */
- if (verify_get_subject(&subject, cert))
+ subject = verify_get_subject(cert);
+ if (!subject)
{
msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 "
"subject string from certificate", cert_depth);
@@ -351,18 +351,9 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
}
}
+ /* enforce character class restrictions in common name */
string_mod_sslname (common_name, COMMON_NAME_CHAR_CLASS, opt->ssl_flags);
-#if 0 /* print some debugging info */
- {
- struct gc_arena gc = gc_new ();
- msg (M_INFO, "LOCAL OPT[%d]: %s", cert_depth, opt->local_options);
- msg (M_INFO, "X509[%d]: %s", cert_depth, subject);
- msg (M_INFO, "SHA1[%d]: %s", cert_depth, format_hex(cert->sha1_hash, SHA_DIGEST_LENGTH, 0, &gc));
- gc_free (&gc);
- }
-#endif
-
/* warn if cert chain is too deep */
if (cert_depth >= MAX_CERT_DEPTH)
{
@@ -424,11 +415,11 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
session->verified = true;
done:
- OPENSSL_free (subject);
+ verify_free_subject (subject);
return (session->verified == true) ? 1 : 0;
err:
- ERR_clear_error ();
+ tls_clear_error();
session->verified = false;
goto done;
}
diff --git a/ssl_verify_backend.h b/ssl_verify_backend.h
index e6dfc59..ed6e62f 100644
--- a/ssl_verify_backend.h
+++ b/ssl_verify_backend.h
@@ -75,14 +75,20 @@ void cert_hash_remember (struct tls_session *session, const int cert_depth,
/*
* Retrieve certificate's subject name, and place it in **subject.
*
- * Memory for subject is allocated in the process, and must be freed.
+ * The returned string must be freed with \c verify_free_subject()
*
- * @param subject Pointer to memory to be allocated for the subject
* @param cert Certificate to retrieve the subject from.
*
- * @return \c 1 on failure, \c 0 on success
+ * @return a string containing the subject
+ */
+char *verify_get_subject (X509 *cert);
+
+/*
+ * Free a subjectnumber string as returned by \c verify_get_subject()
+ *
+ * @param subject The subject to be freed.
*/
-bool verify_get_subject (char **subject, x509_cert_t *cert);
+void verify_free_subject (char *subject);
/*
* Retrieve the certificate's username from the specified field.
@@ -104,7 +110,7 @@ bool verify_get_username (char *common_name, int cn_len,
* Return the certificate's serial number.
*
* The serial number is returned as a string, since it might be a bignum.
- * The returened string must be freed with \c verify_free_serial()
+ * The returned string must be freed with \c verify_free_serial()
*
* @param cert Certificate to retrieve the serial number from.
*
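Review bot: The new prototype `char *verify_get_subject (X509 *cert);` names the OpenSSL type directly, while the prototype it replaces and the neighbouring declarations in this backend-abstraction header use `x509_cert_t`, and verify_cert in ssl.c passes its `x509_cert_t *cert` straight into it; `char *verify_get_subject (x509_cert_t *cert);` keeps the header backend-neutral (this only compiles today if x509_cert_t resolves to X509 in the OpenSSL build, which I cannot confirm from the hunk). The comment above it still reads "and place it in **subject" although that out-parameter is gone, and the new @return line omits the failure case that ssl.c's `if (!subject)` now depends on — `* @return a string containing the subject, or \c NULL on failure`. "subjectnumber" in the verify_free_subject comment looks copied from the serial-number block; `* Free a subject string as returned by \c verify_get_subject()`. The second hunk in this file only corrects a typo and needs nothing.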
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index 8bc49d7..a1b25d0 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -73,16 +73,6 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
return verify_cert(session, ctx->current_cert, ctx->error_depth);
}
-int
-verify_get_subject (char **subject, X509 *cert)
-{
- *subject = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
- if (!*subject)
- return 1;
-
- return 0;
-}
-
#ifdef ENABLE_X509ALTUSERNAME
static
bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
@@ -232,6 +222,20 @@ verify_free_serial (char *serial)
OPENSSL_free(serial);
}
+char *
+verify_get_subject (X509 *cert)
+{
+ return X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
+}
+
+void
+verify_free_subject (char *subject)
+{
+ if (subject)
+ OPENSSL_free(subject);
+}
+
+
#ifdef ENABLE_X509_TRACK
/*
* setenv_x509_track function -- save X509 fields to environment,
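Review bot: The new `verify_get_subject` returns `X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0)` with no comment, yet the caller in ssl.c treats a NULL result as "could not extract X509 subject", so the contract should be stated where it is implemented: `/* X509_NAME_oneline with a NULL buffer allocates; returns NULL on failure. Release with verify_free_subject(). */`. In `verify_free_subject` the `if (subject)` guard differs from `verify_free_serial` directly above, which calls `OPENSSL_free(serial);` unguarded; since the commit's stated goal is to make the two pairs match, they should agree — either both guard or neither. The hunk also adds two consecutive blank lines before `#ifdef ENABLE_X509_TRACK`; one is enough.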